I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Another New iPhone Security Flaw Offers A Reminder: Turn Off Siri On Your Lockscreen

Apple watchers have been warning for years that Siri’s loose lips can leak secrets from a locked iPhone. Now a new security bug offers a more pressing reason than ever to turn her off on the phone’s lockscreen.

Late last week Israeli security researcher Dany Lisiansky spotted another in a growing series of bugs in iOS 7’s lockscreen on the iPhone that allows anyone to bypass the passcode or fingerprint reader to reach the phone’s calling application, contacts, and voicemail. The trick works by using Siri to place a phone call and then triggering a glitch in the phone’s FaceTime function.

Lisiansky explains in his step-by-step instructions accompanying the video:

1. Make a phone call (with Siri / Voice Control).
2. Click the FaceTime button.
3. When the FaceTime App appears, click the Sleep button.
4. Unlock the iPhone.
5. Answer and End the FaceTime call at the other end.
6. Wait a few seconds.
7. Done. You are now in the phone app.

Here’s Lisiansky’s video showing the trick in action:

In fact, security-conscious users should have disabled Siri on their lockscreen long ago. By default, and apparently by Apple’s design, Siri has long allowed anyone to pick up a locked phone and use voice commands to post to Twitter or Facebook, send emails and text messages, access the user’s calendar, make calls and even ask about specific contacts’ personal information like addresses and phone numbers–including that of the phone’s owner.

While that’s made Siri more convenient, it’s also posed a serious privacy problem. Security pundits like Graham Cluley, formerly of the firm Sophos, have warned since Siri first appeared that leaving the feature enabled on an iPhone’s lockscreen is little better than leaving a phone unlocked altogether. “Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command,” Cluley wrote back in 2011. “I’m sure you can imagine some of the ways this could potentially be abused.”

Luckily the fix for that problem remains a simple one: disable Siri on the phone’s lockscreen. In iOS 7, users can do so by turning off the Siri switch under the “Passcode and Fingerprint” submenu (or simply “Passcode” on phones other than the 5s) in the “General” section of the phone’s Settings. If you haven’t done it already, Lisiansky’s new bug presents a good reason to do it now.
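The toggle above fixes one handset at a time. For a fleet of company iPhones the same setting can be pushed as a configuration profile, and an administrator can audit profiles to confirm it is actually present. The script below is an added example and is not code from Greenberg’s post or from Apple; it builds a Restrictions payload using the `allowAssistantWhileLocked` key documented in Apple’s Configuration Profile Reference and checks a profile for that key. The `com.example.security` identifiers and the UUIDs are constructed placeholders.

```python
import plistlib
import uuid

# Restrictions payload type and the key that controls Siri on the lock screen,
# as documented in Apple's Configuration Profile Reference.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
SIRI_WHILE_LOCKED_KEY = "allowAssistantWhileLocked"

# Constructed placeholder; replace with your organisation's reverse-DNS prefix.
ORG_PREFIX = "com.example.security"


def build_restrictions_profile(allow_siri_while_locked: bool) -> bytes:
    """Return an XML .mobileconfig (plist) that sets allowAssistantWhileLocked.

    With False, iOS refuses Siri on the lock screen as long as a passcode is set.
    iOS ignores this restriction on a device with no passcode, so pair it with a
    passcode policy.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),  # any unique UUID works
        "PayloadDisplayName": "Lock screen restrictions",
        SIRI_WHILE_LOCKED_KEY: allow_siri_while_locked,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.lockscreen",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Disable Siri on the lock screen",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)  # XML plist, ready to save as .mobileconfig


def siri_blocked_on_lockscreen(profile_bytes: bytes) -> bool:
    """Audit helper: True only if a Restrictions payload sets the key to False.

    A missing key means the iOS default applies, which lets Siri answer from the
    lock screen, so absence counts as NOT blocked.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        if payload.get(SIRI_WHILE_LOCKED_KEY) is False:
            return True
    return False


if __name__ == "__main__":
    hardened = build_restrictions_profile(allow_siri_while_locked=False)
    permissive = build_restrictions_profile(allow_siri_while_locked=True)
    print("hardened profile blocks Siri on lock screen:",
          siri_blocked_on_lockscreen(hardened))
    print("permissive profile blocks Siri on lock screen:",
          siri_blocked_on_lockscreen(permissive))
```

Save the hardened output as a `.mobileconfig` file and install it by MDM or by opening it on the device; the audit function treats a profile that never mentions the key as permissive, which matches the iOS default the article describes.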

Apple rushed to provide a fix for the earlier lockscreen flaws in a software update last Thursday. But Lisiansky’s YouTube video revealing yet another new lockscreen bug was posted just a day later, adding to what may be the buggiest version of iOS yet from a security perspective.

I’ve contacted Apple for comment, and I’ll update this post if the company responds. No doubt it will release a patch for the Siri flaw, too. But users would be wise not to wait: It only takes a few seconds to prevent Siri from spilling your secrets to strangers.


Comments

Hi Andy and thanks so much for your timely updates. I’ve updated my iPhone 5 to iOS 7, but now I can’t find the “Passcode and Fingerprint” under “General”, because without having a fingerprint device the menu doesn’t exist. So I don’t have any other choice than totally deactivating Siri, or waiting until the fix is released.

I REALLY FEEL SORRY FOR THE LITTLE WEASELS THAT HAVE TOO MUCH TIME TO DO THIS … TRYING TO TAKE APART ALL OF APPLE’S QUALITY PRODUCTS. GET A LIFE! ISRAELI BOY. NO OTHER COMPANY IN THE WORLD GETS THE SAME KIND OF SCRUTINY THAT AAPL HATERS GIVE TO AAPL’S TOP OF THE LINE IPHONES AND IPADS. BY THE WAY, AT&T HAS A PLAN WHERE YOU CAN PAY $39.00 A MONTH WITH “0” DOWN AND GET THE IPHONE 5S WITH 64 GIGS OF MEMORY/STORAGE, OR I CHOOSE $32 A MONTH AND WILL TRADE IT IN FOR THE IPHONE 6 AFTER 1 YEAR, AND ONLY PAY $32 A MONTH. GREAT DEAL.

You double down on the payments with that AT&T plan. They already implicitly charge for the device via the higher cost of service. Take the same plan from AT&T and compare it with Virgin Mobile (where the device cost needs to be paid). The difference is about $30-40 a month.

Now with “0” down, you pay an additional $39 a month on top of the already higher cost of $30-40 a month. In short you are paying twice for the device, and you call it a great deal?

I am stupefied, stunned, amazed, since this is the first time I have heard someone who is getting ripped off calling the deal a great one :). Good luck.

Security-conscious users should be buying a BlackBerry Z10 and dumping the iPhone and Androids. Amidst all the manufactured negativity around BlackBerry, the Z10 is pretty slick. Yeah, companies do go through a rough time, but they restructure and come back. At least BlackBerry is not asking for bailouts.

Hey Andy, I updated my iPhone 4s and found this flaw on the same day. This is really getting serious now with lots of issues, and on the 4s to deactivate Siri we have to go under “General – Passcode Lock”.

I hope they fix it soon, but I never expected these kinds of flaws from Apple.